Cisco Isovalent - new detections batch 1 #3706

patel-bhavin · 2025-10-02T00:04:52Z

New Analytic Story - [1]

Cisco Isovalent Suspicious Activity

New Analytics - [10]

Cisco Isovalent - Access To Cloud Metadata Service
Cisco Isovalent - Cron Job Creation
Cisco Isovalent - Curl Execution With Insecure Flags
Cisco Isovalent - Kprobe Spike
Cisco Isovalent - Late Process Execution
Cisco Isovalent - Nsenter Usage in Kubernetes Pod
Cisco Isovalent - Pods Running Offensive Tools
Cisco Isovalent - Potential Escape to Host
Cisco Isovalent - Shell Execution
Cisco Isovalent - Suspicious Image Use

Updated Analytics - [6]

Macros Added - [3]

cisco_isovalent
cisco_isovalent_allowed_images
cisco_isovalent_process_connect.yml
cisco_isovalent_process_exec
excluded_cloud_binaries.yml
linux_offsec_tool_processes.yml

Data Sources Added [3]

Cisco Isovalent Process Connect
Cisco Isovalent Process Exec
Cisco Isovalent Process Kprobe

patel-bhavin · 2025-12-02T01:03:30Z

Holding off releasing this content until the CSC TA is fixed : targetting CSC TA 3.5.2

patel-bhavin · 2025-12-15T17:53:18Z

All detections passed using a test build provided by Pavlo : CiscoSecurityCloud-develop_2025-12-15_14-09.tar.gz

nasbench

One final review before merge.

detections/endpoint/cisco_isovalent___suspicious_image_use.yml

detections/endpoint/cisco_isovalent___non_allowlisted_image_use.yml

detections/endpoint/cisco_isovalent___shell_execution.yml

detections/endpoint/cisco_isovalent___potential_escape_to_host.yml

detections/endpoint/cisco_isovalent___kprobe_spike.yml

macros/excluded_cloud_binaries.yml

detections/endpoint/cisco_isovalent___access_to_cloud_metadata_service.yml

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>

…_service.yml Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>

….yml Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>

nasbench

LGTM

patel-bhavin added 27 commits August 14, 2025 14:27

adding 1 detection

9c53da8

one more

3fdd953

not sure

36aac51

adding draft detections

21b17fd

Merge branch 'develop' into isovalent_batch_1

40c9732

stash a commit

4f78689

updating sourcetype and fields

c9e8628

updating detections

2a8d3e4

textual updates

b54a8cc

new detection for sus images

fd21a77

udpating fields

fd5f7c2

adding new search

ed3bc02

Merge branch 'develop' into isovalent_batch_1

dff1a2c

testing TA

d602c7e

space

576fac3

fixing sourcetype

f21f9e4

updating detection and dataset

a50280d

updates to all files

b6058aa

updating isovalent detections

f800a3b

updating dataset

be1c385

Merge branch 'develop' into isovalent_batch_1

f692117

updating two detections

1bd337d

yaml fixes

e8d6292

fixing mitre

4fbadb3

added dataset for curl

64dd230

add new detection

03ff337

new detection

a181580

github-actions bot added Detections Stories Macros labels Oct 2, 2025

patel-bhavin dismissed nasbench’s stale review via f028e0b November 25, 2025 22:35

Merge branch 'develop' into isovalent_batch_1

9fe41fa

patel-bhavin removed this from the v5.19.0 milestone Dec 2, 2025

patel-bhavin added 3 commits December 2, 2025 14:51

Merge branch 'develop' into isovalent_batch_1

9ae4d7c

Merge branch 'develop' into isovalent_batch_1

7c02c55

Merge branch 'develop' into isovalent_batch_1

283549f

patel-bhavin and others added 3 commits December 16, 2025 18:43

adding contentctl

f595550

Merge branch 'develop' into isovalent_batch_1

a16e915

revert test app

67d6b83

nasbench added this to the v5.20.0 milestone Dec 18, 2025

patel-bhavin and others added 4 commits December 19, 2025 13:03

updating ctl

e5aaca4

Merge branch 'develop' into isovalent_batch_1

b560c21

Merge branch 'develop' into isovalent_batch_1

fbc120a

Merge branch 'develop' into isovalent_batch_1

dd7117d

nasbench self-requested a review December 19, 2025 16:10

nasbench reviewed Dec 20, 2025

View reviewed changes

patel-bhavin and others added 9 commits January 5, 2026 23:18

Update detections/endpoint/cisco_isovalent___suspicious_image_use.yml

8043f1e

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>

Update detections/endpoint/cisco_isovalent___suspicious_image_use.yml

8585804

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>

Update detections/endpoint/cisco_isovalent___access_to_cloud_metadata…

ac39379

…_service.yml Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>

Update detections/endpoint/cisco_isovalent___kprobe_spike.yml

d2b7bd5

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>

Update detections/endpoint/cisco_isovalent___shell_execution.yml

292f492

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>

Update detections/endpoint/cisco_isovalent___potential_escape_to_host…

12e73c8

….yml Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>

Update detections/endpoint/cisco_isovalent___shell_execution.yml

0ce848c

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>

Merge branch 'develop' into isovalent_batch_1

c66be89

updating formatting and based on feedback from Nas

dacfc8a

nasbench approved these changes Jan 6, 2026

View reviewed changes

nasbench merged commit 6d1b940 into develop Jan 6, 2026
5 checks passed

nasbench deleted the isovalent_batch_1 branch January 6, 2026 00:24

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Cisco Isovalent - new detections batch 1 #3706

Cisco Isovalent - new detections batch 1 #3706

patel-bhavin commented Oct 2, 2025 •

edited by nasbench

Loading

Uh oh!

patel-bhavin commented Dec 2, 2025 •

edited

Loading

Uh oh!

patel-bhavin commented Dec 15, 2025

Uh oh!

nasbench left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

nasbench left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Cisco Isovalent - new detections batch 1 #3706

Cisco Isovalent - new detections batch 1 #3706

Conversation

patel-bhavin commented Oct 2, 2025 • edited by nasbench Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

New Analytic Story - [1]

New Analytics - [10]

Updated Analytics - [6]

Macros Added - [3]

Data Sources Added [3]

Uh oh!

patel-bhavin commented Dec 2, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

patel-bhavin commented Dec 15, 2025

Uh oh!

nasbench left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

nasbench left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

patel-bhavin commented Oct 2, 2025 •

edited by nasbench

Loading

patel-bhavin commented Dec 2, 2025 •

edited

Loading